In today’s world, the term “computer hacker” is used to describe criminals who break into computer systems they are not authorized to access. Despite the stigma your average person attaches to hackers, the vast majority of them are not all that intelligent. In fact, most self-proclaimed computer hackers are nothing more than wannabes, referred to as “script kiddies” or “code kiddies”.
Though web page defacements and compromised customer databases often make the news, the truth is that these types of attacks rarely require very advanced technical skills. Some may wonder how I could possibly know anything about computer hackers. Who am I to tell you any of this? I was one of them.
From an early age, I was drawn to the dark side of the internet. I remember that I was twelve when I began reading gtmhh by Carolyn Meinel. Soon after came the first time I played with Sub7 and Netbus, two script kiddie programs used for backdooring, that is, maintaining unauthorized access to infected computer systems.
The hacker's language
By the time I was seventeen, when I wasn’t out making other stupid decisions, I was hanging out in nefarious channels (chat rooms) on IRC (Internet Relay Chat). I had already begun programming in Visual Basic and Microsoft Visual C++, two computer programming languages used to develop computer software. I was already dual booting Debian Linux (Linux is the hacker’s favorite operating system) and Windows. Dual booting means that I had a bootloader (I used GRUB) that let me select which operating system to use whenever I started the computer.
The cool thing about C++ is that if you know C++ then you pretty much already know C, the language in which the Linux kernel and most traditional Linux applications are written. In fact, most Linux programs are open source, meaning that you can download the text files that contain the program’s source code. When you compile source code it becomes a binary, usually in the form of an executable file. In Windows, those files end with “.exe”, but in Linux they typically have no extension. The wonderful thing about having the source code for a program is that you can easily tweak it. You can make dramatic improvements, or add backdoors and redistribute the code, just to name a few options.
It didn’t take long for me to begin port scanning university networks using programs like nmap. I was able to find Internet Protocol (IP) address ranges for school networks using a widely available service called whois. WHOIS records not only store registrant names and contact information, but also let one find the IP ranges of various business and/or government computer networks to scan.
When you scan ports, you are probing for the services listening on those computers. When you visit this website, for instance, the web server you are talking to is listening on port 80. If you have ever managed a website then you’ll know that the file transfer protocol (FTP) service often runs on port 21. The sendmail service that spammers have used to send you all that awful spam often runs on port 25, though now they run their mail servers on hosts that they compromise with their massive botnets (but that’s another hacking story). Scanning ports lets you see not only which services are running, but specifically which versions of those services are running, so you can tell whether they are vulnerable to known exploits.
Script kiddies frequently download public exploit source code from hacking sites like Milw0rm. They have virtually no programming knowledge and are often too lazy or ignorant to learn to find their own exploits. At that point I fit two out of three of those criteria and thus could accurately have been referred to as a script kiddie. It didn’t take me long to compromise my first university network. I found services that were password-protected, except the passwords were easily guessable and likely the defaults from the install. I found vulnerable telnet services running on several key computers, on which I used what we call a buffer overflow. The most common exploits are buffer overflows or, for web servers, remote file inclusion vulnerabilities.
Attacks are the next step
Here I am going to present an extremely condensed definition of what a buffer overflow is.
There are two kinds of buffer overflows, stack and heap. When a program or service takes input, whether from the user, from other computers on a network, from other programs on the same computer, or from any of a plethora of other sources, the data is often stored in a buffer. When a program is executed it sets aside a fixed amount of memory for that data, sized according to what the original programmer specified. When the programmer has not written the software to check the data it receives properly, the input can exceed the size of the buffer and the program will attempt to use it anyway. This often results in a crash, and sometimes the bug can also alter other memory on the computer so that the operating system, the program, or other programs behave in an unintended fashion. Hackers have learned to use bugs like this to their advantage by crafting the input so as to trick the system into downloading and executing a trojan, or connecting to a remote shell where the hacker can maintain full control over the system. There are just too many possibilities to address them all.
Remote file inclusion vulnerabilities are typically present in PHP scripts that don’t validate input properly, allowing an attacker to trick them into executing an external malicious PHP script called a shell, which will often give them full control of the server.
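The stack variant described above, as an added example and not the author’s code: a constructed function that copies input into a fixed 16-byte stack buffer with no length check, beside a hardened version that rejects anything that would not fit. The buffer size, function names and inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the buffer size the original programmer decided on */

/* Vulnerable pattern from the text: the input length is never compared with
 * the buffer, so anything longer than NAME_LEN-1 bytes runs past the end of
 * name[] on the stack and overwrites whatever sits beyond it. Shown only to
 * illustrate the defect; it is never called with untrusted input here. */
void greet_unchecked(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no bounds check: the bug */
    printf("hello %s\n", name);
}

/* Hardened copy: only succeed when src plus its NUL terminator fits in dst.
 * Returns 0 on success, -1 when the input was rejected (dst left empty).
 * Rejecting oversized input is a safer default for a service than silently
 * truncating it, because truncation can still change the meaning of data. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {               /* would not fit with its terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n+1 copies the terminator too */
    return 0;
}

/* Same behaviour as greet_unchecked for well-formed input, but oversized
 * input is reported and refused instead of corrupting the stack. */
int greet_checked(const char *input) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "rejected input of %zu bytes (buffer holds %zu)\n",
                strlen(input), sizeof name - 1);
        return -1;
    }
    printf("hello %s\n", name);
    return 0;
}

int main(void) {
    /* constructed inputs: one that fits, one that would overflow the buffer */
    greet_checked("alice");
    greet_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");   /* 36 bytes */
    return 0;
}
```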
Before long, I wrote my first piece of malware. I operated a botnet that was comprised of several thousand compromised computers. A botnet is typically a large network of computers, each of which contains a piece of malicious software called a trojan. Usually, these trojans connect to an external server whose address the hacker/code kiddie hardcoded into the trojan. These are often IRC servers where the attacker can log in to each individual machine, or all of them at once, in a chat channel. From there, he can use them to infect other computers, delete files, search files, see every keystroke pressed on each computer, retrieve passwords saved by Internet Explorer or Firefox, or use them to attack other computers and disrupt their internet connection (a DDoS attack).
After I had defaced a few no-name web pages, compromised a university network, broke into a Russian server that was hosting terabytes of illegal bootlegged software, got email account logins, bank account logins, credit card numbers, got into FTP servers and other devices connected to various networks.
The art of social engineering hacking
Social engineering is when you conduct research on a target, learn about their operations and corporate structure, and then typically scan their telephone exchange to uncover internal phone numbers. After that, you call posing as an employee with a credible reason for speaking to a person, in order to trick them into divulging information that will compromise their network.
The last technique is by far the most effective. Scanning for exploitable services, finding 0day vulnerabilities, socially engineering users into infecting themselves with malware, exploiting browser vulnerabilities, and brute-forcing default passwords all work some of the time, but the weakest link is ALWAYS the people who are already inside the network.
I was never a Kevin D. Mitnick. I was not incredibly well-known and was involved in very few high-profile hacks but I learned plenty. Thankfully I quit while I was ahead. I was fortunate that I was not a high priority for the FBI because I can assure you, if I was then I would have been caught. I’m positive that even now, those guys know exactly who I am.
I never wanted to be a criminal. To me, I was just exploring and experimenting with something that fascinated me. Sure, my actions violated people’s privacy but I never once tried to use any of the credit card numbers or bank logins that I had gleaned. They were all just trophies to me. I am thankful that I was only involved in these activities long enough to learn what I learned and get out unscathed. There aren’t many people that can say the same. It is truly an addiction and the only way that I know of to break it is to really think about what you love more. I wanted a better future for myself that didn’t involve a federal penitentiary. What do you want?